(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 

International Bureau 

(43) International Publication Date 
14 February 2002 (14.02.2002) 




PCT 



(10) International Publication Number 

WO 02/13025 Al 



(51) International Patent Classification 7 : G06F 13/14 

(21) International Application Number: PCT/AU01/00962 

(22) International Filing Date: 7 August 2001 (07.08.2001) 

(25) Filing Language: English 

(26) Publication Language: English 



(30) Priority Data: 
PQ 9240 



7 August 2000 (07.08.2000) AU 



(71) Applicant (for all designated States except US): 
SHARINGA NETWORKS INC, [US/US]; 1310 King 
Street, WILMINGTON, DE 19801 (US). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): WALKER, 
Matthew, Ian [AU/AU]; 14 Bonar Street, Heidelberg 
Heights, VIC 3081 (AU). YANDELL, Peter [AU/AU]; 39 
Best Street, Belgrave, VIC 3160 (AU). 



(74) Agents: WEBBER, David, Brian et al.; Davies Collison 
Cave, 1 Little Collins Street, Melbourne, VIC 3000 (AU). 

(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, 
CZ, DE, DK, DM, DZ, EC, EE, ES, Ft, GB, GD, GE, GH, 
GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, 
SL, TJ, TM, TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, 
ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZW), Eurasian 
patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European 
patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, 
IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, 
CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, 
TG). 

Published: 

— with international search report 

[Continued on next page J 



(54) Title: AN ACCESS SYSTEM FOR USE WITH LANS 



c5 




(57) Abstract: A method executed by an access system for enabling a client to access a communications network, the method 
including receiving an access request for a resource of the network, determining if the request includes a unique identifier for the 
client, removing the identifier and recording data related to the request using the identifier, when the request includes the identifier, 
and redirecting the request to instruct the client to store the identifier when the request omits the identifier. 



WO 02/13025 Al I Mil IDIIlli II lllill lllll Nil I IE 111 lllll Illll IIIII I1IH llll IIIIIH mi mi ran 



For two-letter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations " appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



WO 02/13025 



PCT/AU01/00962 



-1- 

AN ACCESS SYSTEM FOR USE WITH LANS 
Field of the Invention 

5 The present invention relates to an access system that can be used to provide access to a 
communications network, such as the Internet, for users of Local Area Networks (LANs). 
In particular, the present invention relates to a method of tracking a user's behaviour on the 
Internet when the user is accessing the Internet using a single BP address assigned to a 
LAN server. 

10 

Background of the Invention 

The providers of access systems for the Internet, such as ISPs and web publishers, ideally 
wish to obtain as much information as possible on the preferences and desires of users of 

15 their systems and services in order to meet the service expectations and wishes of the 
users. For instance, an access system, as described in the specification of International 
Patent Application No. PCT/AU00/00418 ("the access system specification"), enables the 
connection state of users to be adjusted and their behaviour and accessed locations 
recorded, primarily on the basis of the IP address that is dynamically assigned to a user that 

20 connects to the access system. This is effective for users that connect to the access system 
individually. The users of local area networks, however, generally use a network server to 
connect to an ISP f s access system and the LAN's server will be allocated one IP address for 
all of the network users of the LAN. This makes it impossible to discriminate between 
different users on the basis of the assigned IP address. Accordingly, it is desired to provide 

25 a system and method which alleviates the above difficulty or at least provides a useful 
alternative. 

Summary of the Invention 

30 In accordance with the present invention there is provided a method executed by an access 
system for enabling a client to access a communications network, said method including: 
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receiving an access request for a resource of the network; 

determining if the request includes a unique identifier for the client; 

removing the identifier and recording data related to the request using the identifier, 
when the request includes the identifier; and 
5 redirecting the request to instruct the client to store the identifier when the request 

omits the identifier. 

The present invention also provides an access system for enabling a client to access a 
communications network, including: 
10 means for receiving an access request for a resource and determining when the 

request includes a unique identifier for the client; 

means for removing the identifier and recording data related to the request based on 
the identifier; and 

means for redirecting the request to instruct the client to store the identifier when 
15 the request omits the identifier. 

The present invention also provides a network access system for executing: 

(a) if a TCP/IP request from a client includes an identifier associated with the 
access system, the identifier is removed from the request and the request is sent; 
20 (b) else if the request has a first key associated with the access system, the first 

key is removed, the request is sent, and data added to the response to the request to set an 
identifier in the client with a second key associated with the access system, for the domain 
of the request; and 

(c) else the client is directed to a server of the access system that returns a 
25 response to the client to set an identifier with a third key associated with the access system, 
for the domain of the server. 

Brief Description of the Drawings 

30 A preferred embodiment of the present invention is hereinafter described, by way of 
example only, with reference to the accompanying drawings wherein: 
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Figure 1 is a block diagram of a preferred embodiment of an access system 
connected to the Internet and a telecommunications network; 

Figure 2 is a message flow diagram for a process executed by the system for initial 
authentication; 

5 Figure 3 is a message flow diagram of a process executed by the system when 

accessing a new location; and 

Figure 4 is a message flow diagram of a process executed by the system when 
accessing a previously accessed location 

10 Detailed Description of Preferred Embodiments of the Invention 

An access system 2, as shown in Figure 1, includes a plurality of remote access servers 
(RASs) 4, a traffic switch 6, a proxy server 16, a local web server 17, a database server 19, 
and a router 8 that connects to a public communications network, such as the Internet 14. 

1 5 The RASs allow the computers 10 of remote users to dial into the system 2 using the lines 
provided by a standard telecommunications network 12 and connect to the input ports of 
the RASs 4, respectively. On connection to a port of a RAS 4, the RAS 4 and the user's 
computer 10 establish a unique session and IP traffic for that session is switched by the 
switch 6 so that it is controlled by the proxy server 16. Similarly a LAN server 20, which 

20 may comprise a Network Address Translation (NAT) server or a proxy server, is 
connected to a port of a RAS 4, and this may be a permanent connection over the network 
12. The LAN server 20 is assigned a single IP address for all TCP/IP traffic handled by 
the system 2, and there may be several thousand individual computers 22 for respective 
users connected using the server 20. All the components of the access system 2 may be 

25 standard components used by an ISP. Alternatively, the access system 2 may be the access 
system described in the access system specification. The system however is configured, 
and in particular the proxy server 16, switch 6 and web server 1 7 are configured, to include 
logic to execute the messaging process described below to track individual clients 22 
behind a LAN server 20. The logic may be provided by software code and/or hardware 

30 circuits to execute the messaging process, and as will be understood by those skilled in the 
art, the components of the logic may be distributed over a communications network. 
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When a client 22 initially enters a request for a particular location on the Internet 14, such 
as a Yahoo web server, the request including the Universal Resource Locator (URL) for 
the location is received by the proxy 16, at step 30, as shown in Figure 2. The proxy 16 
5 will then send back, initially, to the client browser a 302 redirect URL for the web server 
17, as shown in step 32, that includes the domain of the requested server, ie the URL of the 
requested page. This causes the browser at step 34 to issue a request including the URL 
for the web server 17 with the original requested domain. This is passed by the proxy 16 
to the web server 17 of the access system, which issues, at step 35, a 302 redirect to initiate 

10 the access system authentication process because the request omits a recognised access 
system identifying key, as described below. The 302 redirect includes a URL to redirect 
the client 22 to a login page for the access system. This causes the client to issue a GET 
http request for the login page at step 36. This is passed by the proxy 16 to obtain the login 
page, which may be served from the access system web server 17, at step 37. The web 

15 server 17 returns a login display page via the proxy server 16, at step 36 for display on the 
client's browser. The user then completes a form on the login page which is posted at step 
38 via the proxy 16 to the server 17. The server 17 then responds at step 40 with a 200 
message, after validating the login of the user, with a set cookie message for the client's 
browser that refers to the domain of the server 17 and contains a unique key, being a 

20 unique ASCII character string, for the client machine 22. This creates a cookie file or 
entry on the client machine 22 that enables the user to be tracked subsequently, as 
described below, and all their browsing activity recorded without any other servers on the 
Internet being aware that the cookie is present. The cookie, as described below, also only 
exists during the client's browser session on the access system. 

25 

After authentication, when a user wishes to go to a new site, as shown in Figure 3, such as 
a Yahoo server on the Internet 14, the client will send a request with a URL for the site, at 
step 50. This request does not include any information from the cookie as it is a request 
for a different domain than the domain of the web server 17. The proxy 16 on receiving 
30 the request determines that the access system cookie information is not included, and 
therefore returns to the client 22 a 302 redirect URL for the web server 17 with the URL or 
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domain of the requested site, at step 52. This again causes a redirect to the web server 17, 
but this time the cookie and unique key are returned to the server 17 with the URL for the 
server 17, at step 54. The server 17 in response returns a 302 redirect URL that includes 
the original http request, and a temporary key for the client machine 22, at step 56, as 
5 shown in Figure 3. A temporary key is used at this stage, instead of the unique key, as the 
key is visible on most browsers by virtue of the fact that it has been included in the URL 
for this part of the messaging process. The unique key is temporarily stored on the web 
server 17 and/or proxy 16 against the random temporary key that has been allocated for the 
client machine. The 302 redirect of step 56 is sent back to the client 22 via the proxy 16, 

10 and the client responds by forwarding a GET http request for the requested site that 
includes the temporary key in the URL identifying the client 22, at step 57. The GET 
request is received by the proxy 16, the key stripped from the URL and a record made of 
the location requested by the client. This is recorded in the database server 19 against the 
unique key for the client machine 22. The stripped request is then forwarded as a standard 

15 http GET request, at step 58 from the proxy 16 out onto the Internet 14 to the requested 
server, in this instance the requested Yahoo server. The Yahoo requested page is then 
returned from the Yahoo server, at step 60,and this is received via the proxy 16. The proxy 
16 then adds a set cookie message, as shown in Figure 3 at step 62, to return to the client 
machine with the Yahoo page. The set cookie message includes the requested domain and 

20 the unique key for the client 22. The cookie message ensures that a cookie is established 
for the requested, ie Yahoo, domain with the unique key used by the access system 2. 

Accordingly, when a client 22 requests a page from a previously accessed domain, as 
shown in Figure 4, the client will send a request at step 70 that includes the cookie for the 
25 domain with the unique key for the access system 2. The proxy 16 accesses the cookie and 
records the requested page in the database 1 9 against the unique key for the client 22. The 
cookie is stripped from the request by the proxy 16 and the request then forwarded onto the 
requested server on the Internet 14, at step 72. The server will then simply return the 
requested page, at step 74 via the proxy 16 to the client 22. 

30 

The messaging process which is executed by the proxy 16 can be represented by the 
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following if the web server 17 has the domain "fol.com": 

If the client request has the access system cookie or the request is to the fol.com 
domain 

remove the cookie from the request if it exists 
5 record the requested page against the key of the cookie if it exists 

get the requested page 
else if the request has an access system key in the URL 
remove the key 

record the requested page using the key 
10 fetch the page 

add a set-cookie header to the page with the access system key 

else 

redirect the client to http://foLcom/check ? URL=requested_page. 

15 An alternative, and in a number respects more efficient implementation, is for all of the 
steps executed by the web server 17 to be executed by the proxy server 16. This involves 
the proxy 16 acting as the web server for the fol.com domain that sets the identifying keys. 

Many modifications will be apparent to those skilled in the art without departing from the 
20 scope of the present invention as herein described with reference to the accompanying 
drawings. 
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CLAIMS: 

1. A method executed by an access system for enabling a client to access a 
communications network, said method including: 

5 receiving an access request for a resource of the network; 

determining if the request includes a unique identifier for the client; 
removing the identifier and recording data related to the request using the identifier, 
when the request includes the identifier; and 

redirecting the request to instruct the client to store the identifier when the request 
1 0 omits the identifier. 

2. A method executed by an access system as claimed in claim 1, wherein said 
redirecting includes sending a redirect instruction with at least part of the request to 
redirect the client to a server of the access system, and sending an instruction from the 

1 5 server to cause the client to store the identifier. 

3. A method as claimed in claim 2, wherein said redirecting includes executing an 
authentication process with said client before sending said instruction when a response to 
said redirect instruction omits said identifier. 

20 

4. A method as claimed in claim 2, wherein said redirecting includes sending a further 
redirect instruction with a temporary identifier and at least part of the request to redirect 
said client to the resource of said request, when a response to said redirect instruction 
includes said identifier. 

25 

5. A method as claimed in claim 4, wherein said temporary identifier is recorded 
against said identifier, is returned with a response to said further redirect instruction, and is 
used to access said identifier for storing said data related to the request. 

30 6. A method as claimed in claim 6, wherein said temporary identifier is returned in a 
resource locator for said resource. 
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7. A method as claimed in claim 2, wherein said identifier is a cookie key and said 
instruction is a set cookie instruction. 

5 8. A method as claimed in claim 5, wherein said identifier is a cookie key and said 
instruction is a set cookie instruction returned with said resource and a domain of said 
resource. 

9. A method as claimed in claim 3, wherein said identifier is a cookie key and said 
10 instruction is set cookie instruction returned after said authentication process and for a 

domain of said server. 

10. A method as claimed in any one of the preceding claims, wherein said request is a 
TCP/IP request. 

15 

11. An access system having components for executing the steps of a method as 
claimed in any one of the preceding claims. 

12. An access system as claimed in claim 11, wherein the components are of an 
20 Internet service provider. 

13. Computer program code on computer readable storage media for executing the 
steps of a method as claimed in any one of claims 1 to 10. 

25 14. An access system for enabling a client to access a communications network, 
including: 

means for receiving an access request for a resource and determining when the 
request includes a unique identifier for the client; 

means for removing the identifier and recording data related to the request based on 
30 the identifier; and 

means for redirecting the request to instruct the client to store the identifier when 
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the request omits the identifier. 

15. A network access system for executing: 

(a) if a TCP/IP request from a client includes an identifier associated with the 
5 access system, the identifier is removed from the request and the request is sent; 

(b) else if the request has a first key associated with the access system, the first 
key is removed, the request is sent, and data added to the response to the request to set an 
identifier in the client with a second key associated with the access system, for the domain 
of the request; and 

10 (c) else the client is directed to a server of the access system that returns a 

response to the client to set an identifier with a third key associated with the access system, 
for the domain of the server. 

16. A network access system as claimed in claim 15, wherein data for said request is 
1 5 recorded using said identifier when executing step (a). 

17. A network access system as claimed in claim 15, wherein data for said request is 
recorded using said first key when executing step (a). 

20 18. A network access system as claimed in claim 5, wherein said first key is temporary 
data included in a resource locator of the request. 

19. A network access system as claimed in claim 15, wherein said second key is the 
same as said third key. 

25 

20. A network access system as claimed in claim 15 or 19, wherein said identifier is a 
cookie. 
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